For companies leveraging mobile device technology, robust security measures are critical to protecting connected ecosystems. Ten to fifteen years ago, IT departments considered it their job to determine which laptops and mobile devices to issue to business users. Then came the bring-your-own-device (BYOD) trend.
Employees liked the convenience of using their own devices for work, and felt it increased their productivity. In most cases, companies cut costs when they no longer needed to purchase mobile devices for staff.
IT leaders recognized those advantages, but also the management and security risks that emerge when staff use their own devices to access the corporate network, business-critical applications or sensitive data. By 2014, the U.S. BYOD market was valued at nearly $30 billion and was expected to grow more than 15 percent a year through 2022, according to Global Market Insights. The majority of respondents to a Bitglass survey (85 percent) use their own devices at work.
Yet 30 percent of IT pros still have security concerns, citing data leakage, unauthorized data access, inability to control uploads and downloads, lost or stolen devices, and malware as the top ones. The same percentage say the leading inhibitor of BYOD is company security concerns.
BYOD introduces significant issues in meeting increasingly stringent regulations. The European Union’s General Data Protection Regulation (GDPR), for example, requires the data controller to remain in possession of customers’ personal data, but that’s tricky when the data may be accessed from or stored on a device the company doesn’t own. That is why you must ask yourself the following questions when establishing a BYOD policy:
- Who owns all the data types on the device (email, calendar, contacts, text, phone and location history, app data and photos)?
- What are the legal and policy decisions on the data types a company claims ownership of?
- What are the technical controls that a company adopts to control the data it owns?
A BYOD policy should also define appropriate employee behavior. For example, employees might be asked not to install or use apps that are not on the company’s list of approved downloads.
Additionally, by implementing or extending enterprise mobility management solutions, such as mobile device management and mobile application management, to BYOD devices, IT can bolster company policies. MDM gives IT control over devices, while MAM gives IT control only over specific corporate applications and their data. Both MDM and MAM may be used together to enable security for corporate- and employee-owned devices, offering a package of safeguards that prevent employees from unknowingly compromising their devices. This includes limiting the apps that can be downloaded and the kinds of data apps can store; blocking company data from personal clouds; automatically updating devices; and requiring the use of VPNs instead of open Wi-Fi when users are offsite.
Some experts say that MAM may be the more appropriate solution for BYOD, providing a less invasive and more targeted way to enforce security requirements. For instance, with MAM, IT can remotely wipe only the corporate apps and data on a BYOD device, while leaving personal apps and information intact. MAM can be deployed for enterprise email and to give secure access to other apps, such as collaboration tools and cloud storage.
Last but not least, zero trust is crucial for BYOD security. Establishing a zero-trust model helps isolate the device from the data: the device is not trusted, and all of the data remains on the company systems or in the company cloud. The bottom line is that BYOD security, like enterprise security, requires a multi-faceted approach that addresses the potential risks while minimizing intrusions on employee privacy and on usability for personal use.